Receive alert 4 hours later

Follow
Avatar
Network Support

I have a weird issue of getting alert after 4 hours of the event. Logs in the device sending syslog has correct time. When i query in sumo, i see the event happened for example at 2 pm while the event actually happened at 10 AM in the morning which is 4 hours earlier. However, if i check r"use receipt time" in sumo query dashboard, i do see the logs at actual time. So, how do i generate alert with checked "use receipt time"?

0

Comments

3 comments

Sort by Date Votes
  • Official comment
    Avatar
    Graham

    Hi There - this is likely a timezone issue. If you navigate to your collector management page (Manage Data > Collection) you will need to correct the syslog source's timezone by adjusting it to the timezone of the physical location those syslog messages are being generated in.

    Here is a screenshot for where to adjust:


    I hope this helps, let us know if you have additional questions here.

    Thanks,

    Graham

    Comment actions Permalink
  • Avatar
    Anil Baradia

    Even I am facing the same problem regarding time lag even after time zone modification. It is taking 20-30 minutes to reflect the logs in the dashboard. Is this time can be reducible?

    0
    Comment actions Permalink
  • Avatar
    Graham

    Hey Anil,

    There are many reasons data might be delayed getting to Sumo Logic. What type of log is this?

    Here's a query you can try to see the difference between when the event was generated and when we received it:

    _sourceCategory=<Your_Category_here>

    | ((_receipttime - _messagetime)/1000)/60 as timediffmins
    | timeslice 5m
    | avg(timediffmins) by _timeslice

     

    1
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post